Posted by eric.hall on March 13, 2007, 10:27 am
[google groups is having posting problems; apologies for any dupes]
I am currently planning a private CA rollout for my network. I have
been using a single openssl CA but I am looking to do a two-tier
model, so that the root CA only signs a couple of sub-CAs and a couple
of machines and users that are themselves in the root.
foo.com <--offline root, probably using openssl
--corp.foo.com <--2003 R2 certificate server for corp.foo.com AD
domain
--labs.foo.com <--openssl certificate server for linux/samba/* domain
The last time I did this I was using Windows Server 2000 and it wasn't
all that flexible (or I couldn't figure it out, which is entirely
possible). I've looked at Microsoft's "Best Practices" web pages for
2003 and it looks like it should work. I've also watched a couple of
web casts on the subject, and it also appears that this should work,
but all that material is pretty much designed for three-tier installs
that are all 100% MS certificate servers with everything in the AD
store. I'm not doing that, so... questions:
What kind of CA type should I specify for the 2003 R2 box? I want it
to be online, and I want to get the benefits of directory integrated
certificates, but I also want to be able to issue random certificates
for non-integrated users and devices and whatnot. This is probably the
most confusing part to me, and where I ran into trouble with Windows
2000 Server.
Can I use openssl CA for the off-line root? I know I can import the CA
and CRL, but there is a lot of talk about AD in the material, so I'm
worried about this. Will it work?
There are some pretty robust recommendations against running a CA on a
DC. However, given my current hardware restrictions, it seems like
this is going to be necessary in the short-term (another year or so).
The box is behind firewalls, only a couple of users will have access,
and it won't be the whole root CA, so I'm not too concerned about the
security issues. But will the management issues also apply (ie, can I
move the cert store around, demote the DC, and whatnot?)
Anything else I should know?
Thanks for the info
Posted by Brian Komar [MVP] on March 13, 2007, 11:17 am
Short answers for now.. longer to follow later today
In article <1173796055.831288.221690@t69g2000cwt.googlegroups.com>, eric.hall@gmail.com
says...
> [google groups is having posting problems; apologies for any dupes]
>
> I am currently planning a private CA rollout for my network. I have
> been using a single openssl CA but I am looking to do a two-tier
> model, so that the root CA only signs a couple of sub-CAs and a couple
> of machines and users that are themselves in the root.
>
> foo.com <--offline root, probably using openssl
> --corp.foo.com <--2003 R2 certificate server for corp.foo.com AD
> domain
> --labs.foo.com <--openssl certificate server for linux/samba/* domain
Should work. But you could service the requests from
the Win2k3 CA. But it is valid.
>
> The last time I did this I was using Windows Server 2000 and it wasn't
> all that flexible (or I couldn't figure it out, which is entirely
> possible). I've looked at Microsoft's "Best Practices" web pages for
> 2003 and it looks like it should work. I've also watched a couple of
> web casts on the subject, and it also appears that this should work,
> but all that material is pretty much designed for three-tier installs
> that are all 100% MS certificate servers with everything in the AD
> store. I'm not doing that, so... questions:
>
> What kind of CA type should I specify for the 2003 R2 box? I want it
> to be online, and I want to get the benefits of directory integrated
> certificates, but I also want to be able to issue random certificates
> for non-integrated users and devices and whatnot. This is probably the
> most confusing part to me, and where I ran into trouble with Windows
> 2000 Server.
Make sure you are running on Enterprise Edition, and use
an enterprise subordinate CA to meet your goals.
>
> Can I use openssl CA for the off-line root? I know I can import the CA
> and CRL, but there is a lot of talk about AD in the material, so I'm
> worried about this. Will it work?
Yes. You just need to make sure that you correctly
configure URLs for the CDP and AIA extension of the root
cert (if any included) and for the issued sub CA
certificates. Also ensure that the information is
maintained and up-to-date at the URLs.
>
> There are some pretty robust recommendations against running a CA on a
> DC. However, given my current hardware restrictions, it seems like
> this is going to be necessary in the short-term (another year or so).
> The box is behind firewalls, only a couple of users will have access,
> and it won't be the whole root CA, so I'm not too concerned about the
> security issues. But will the management issues also apply (ie, can I
> move the cert store around, demote the DC, and whatnot?)
>
Rethink this one. If you put it on a DC, you cannot move
it. This is the biggest issue in your design. Your only
choice is to basically remove the DC and keep it as a
CA. You cannot rename the CA netBIOS name nor change its
domain membership.
> Anything else I should know?
>
> Thanks for the info
>
>
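The setup Brian describes above (an OpenSSL offline root whose issued sub-CA certificates carry CDP and AIA URLs, with a CRL that has to be kept current), as an added example that is not code from the thread. It builds the root, signs a sub-CA request with the CDP/AIA extensions, publishes the root CRL, verifies the sub-CA chain with CRL checking on, and can revoke the sub-CA for the "uninstall, revoke and reissue" path discussed later in the thread. The hostnames, URLs, CA names and paths (pki.foo.com, /crl/foo-root.crl, "foo.com Root CA", a temporary working directory) are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: an OpenSSL-only offline root
# that issues a subordinate CA certificate carrying CDP and AIA URLs,
# publishes a CRL, verifies the chain with CRL checking on, and can revoke
# the sub-CA. Hostnames, URLs, CA names and paths are assumptions.
set -eu
WORK=${WORK:-$(mktemp -d)}
cd "$WORK"

# URLs stamped into the sub-CA cert. They have to stay reachable, and the
# CRL behind CDP_URL has to be re-signed before its nextUpdate passes.
CDP_URL="http://pki.foo.com/crl/foo-root.crl"
AIA_URL="http://pki.foo.com/aia/foo-root.crt"

# Offline root: self-signed, CA:TRUE, pathlen:1 (root -> sub-CA -> leaf).
cat > root.cnf <<EOF
[req]
distinguished_name = dn
x509_extensions = root_ext
prompt = no
[dn]
CN = foo.com Root CA
[root_ext]
basicConstraints = critical, CA:TRUE, pathlen:1
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
    -days 3650 -sha256 -config root.cnf >/dev/null 2>&1

# Sub-CA request. In the thread's design this CSR comes from the Windows
# CA (or the second OpenSSL CA) and is carried to the offline root by hand.
cat > sub.cnf <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = corp.foo.com Issuing CA
EOF
openssl req -new -newkey rsa:2048 -nodes -keyout sub.key -out sub.csr \
    -sha256 -config sub.cnf >/dev/null 2>&1

# Extensions the root adds when signing: CA:TRUE plus CDP and AIA that
# point back at the root's published CRL and certificate.
cat > sub_ext.cnf <<EOF
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
crlDistributionPoints = URI:$CDP_URL
authorityInfoAccess = caIssuers;URI:$AIA_URL
EOF
openssl x509 -req -in sub.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -out sub.crt -days 1825 -sha256 -extfile sub_ext.cnf >/dev/null 2>&1

# Minimal 'openssl ca' config, used only for CRL signing and revocation.
cat > ca.cnf <<EOF
[ca]
default_ca = root_ca
[root_ca]
database = index.txt
certificate = root.crt
private_key = root.key
default_md = sha256
default_crl_days = 30
EOF
: > index.txt

# Sign the root CRL. An empty CRL must still exist and be re-signed on
# schedule, or CRL-checking relying parties fail the whole chain.
publish_crl() { openssl ca -config ca.cnf -gencrl -out root.crl >/dev/null 2>&1; }

# Does a certificate carry the CDP URL the root is supposed to stamp in?
has_cdp() { openssl x509 -in "$1" -noout -text | grep -qF "URI:$CDP_URL"; }

# Chain check with CRL checking on, i.e. what a relying party does.
verify_with_crl() {
    openssl verify -crl_check -CAfile root.crt -CRLfile root.crl "$1" >/dev/null 2>&1
}

# Days until the CRL's nextUpdate (GNU date, BSD/macOS fallback) or "unknown".
crl_days_left() {
    next=$(openssl crl -in "$1" -noout -nextupdate | cut -d= -f2)
    exp=$(date -d "$next" +%s 2>/dev/null) \
        || exp=$(date -j -f "%b %e %H:%M:%S %Y %Z" "$next" +%s 2>/dev/null) \
        || { echo unknown; return 0; }
    echo $(( (exp - $(date +%s)) / 86400 ))
}

# Decommissioning the sub-CA: revoke it at the root and sign a fresh CRL.
revoke_sub_ca() {
    openssl ca -config ca.cnf -revoke "$1" >/dev/null 2>&1
    publish_crl
}

publish_crl
has_cdp sub.crt && echo "sub-CA cert carries CDP $CDP_URL"
verify_with_crl sub.crt && echo "sub-CA chain verifies with CRL checking"
echo "root CRL valid for $(crl_days_left root.crl) more day(s)"
```

The files root.crl and root.crt are what has to be copied to the web server behind CDP_URL and AIA_URL; in real use the root key never leaves the offline machine, so re-running publish_crl (and carrying the new root.crl over) before default_crl_days elapses is the recurring chore the "kept up-to-date" advice refers to. Running openssl verify with -crl_check but without the CRL fails the chain, which is exactly what a Windows client sees when the CDP URL is dead.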
Posted by eric.hall on March 13, 2007, 11:44 am
Brian Komar [MVP] wrote:
> In article <1173796055.831288.221690@t69g2000cwt.googlegroups.com>, eric.h...@gmail.com
> says...
> > foo.com <--offline root, probably using openssl
> > --corp.foo.com <--2003 R2 certificate server for corp.foo.com AD
> > domain
> > --labs.foo.com <--openssl certificate server for linux/samba/* domain
> Should work. But, you could service the requests from
> the Win2k3 CA.
I don't understand the second half of your response
> > What kind of CA type should I specify for the 2003 R2 box? I want it
> > to be online, and I want to get the benefits of directory integrated
> > certificates, but I also want to be able to issue random certificates
> > for non-integrated users and devices and whatnot. This is probably the
> > most confusing part to me, and where I ran into trouble with Windows
> > 2000 Server.
> Make sure you are running on Enterprise Edition, and use
> an enterprise subordinate CA to meet your goals.
That will also let me manually create/sign certificates for use in
things like switches and whatnot? With W2k EE, it seemed to just do
automatic certs for users and machines, so this is my main point of
concern.
> > There are some pretty robust recommendations against running a CA on a
> > DC. However, given my current hardware restrictions, it seems like
> > this is going to be necessary in the short-term (another year or so).
> Rethink this one. If you put it on a DC, you cannot move
> it. This is the biggest issue in your design. Your only
> choice is to basically remove the DC and keep it as a
> CA. You cannot rename the CA netBIOS name nor change its
> domain membership.
Is this a feature of the "enterprise" CA, or is this a feature of all
the CA types in 2003? openssl does not bind the CA to the machine
identity but I can see why it would be useful and appropriate for AD
integrated certs in particular.
I can also uninstall the sub CA, revoke the cert, and reissue new
certs if I move the sub CA later, right? I mean, creating an
"enterprise" sub-CA doesn't permanently alter the directory does it?
Posted by Brian Komar [MVP] on March 13, 2007, 3:48 pm
Inline
In article <1173800685.119611.123960@t69g2000cwt.googlegroups.com>, eric.hall@gmail.com
says...
> Brian Komar [MVP] wrote:
>
> > In article <1173796055.831288.221690@t69g2000cwt.googlegroups.com>, eric.h...@gmail.com
> > says...
>
> > > foo.com <--offline root, probably using openssl
> > > --corp.foo.com <--2003 R2 certificate server for corp.foo.com AD
> > > domain
> > > --labs.foo.com <--openssl certificate server for linux/samba/* domain
> > Should work. But, you could service the requests from
> > the Win2k3 CA.
>
> I don't understand the second half of your response
>
You really do not need an additional subordinate CA
running OpenSSL to service requests from Linux/samba
clients.
> > > What kind of CA type should I specify for the 2003 R2 box? I want it
> > > to be online, and I want to get the benefits of directory integrated
> > > certificates, but I also want to be able to issue random certificates
> > > for non-integrated users and devices and whatnot. This is probably the
> > > most confusing part to me, and where I ran into trouble with Windows
> > > 2000 Server.
> > Make sure you are running on Enterprise Edition, and use
> > an enterprise subordinate CA to meet your goals.
>
> That will also let me manually create/sign certificates for use in
> things like switches and whatnot? With W2k EE, it seemed to just do
> automatic certs for users and machines, so this is my main point of
> concern.
Automatic certs, Key archival and recovery, customizable
certificate templates. Lots.
>
> > > There are some pretty robust recommendations against running a CA on a
> > > DC. However, given my current hardware restrictions, it seems like
> > > this is going to be necessary in the short-term (another year or so).
>
> > Rethink this one. If you put it on a DC, you cannot move
> > it. This is the biggest issue in your design. Your only
> > choice is to basically remove the DC and keep it as a
> > CA. You cannot rename the CA netBIOS name nor change its
> > domain membership.
>
> Is this a feature of the "enterprise" CA, or is this a feature of all
> the CA types in 2003? openssl does not bind the CA to the machine
> identity but I can see why it would be useful and appropriate for AD
> integrated certs in particular.
>
This is a Microsoft CA thing.
> I can also uninstall the sub CA, revoke the cert, and reissue new
> certs if I move the sub CA later, right? I mean, creating an
> "enterprise" sub-CA doesn't permanently alter the directory does it?
You can definitely do this, but high TCO.
Posted by eric.hall on March 13, 2007, 4:29 pm
Brian Komar [MVP] wrote:
> You really do not need an additional subordinate CA
> running OpenSSL to service requests from Linux/samba
> clients
The business groups are managed separately. But it's nice to know. I
did not think it was possible to run multiple cert authorities on the
same machine with Windows Cert Services, since there is only a
one-time setup.
> > That will also let me manually create/sign certificates for use in
> > things like switches and whatnot? With W2k EE, it seemed to just do
> > automatic certs for users and machines, so this is my main point of
> > concern.
> Automatic certs, Key archival and recovery, customizable
> certificate templates. Lots.
Okay great. I guess all this stuff is in the templates, which is what
choked me before. I'll go find the docs for this.
> > I can also uninstall the sub CA, revoke the cert, and reissue new
> > certs if I move the sub CA later, right? I mean, creating an
> > "enterprise" sub-CA doesn't permanently alter the directory does it?
> You can definitely do this but high TCO
Not a major concern in this case, since there are very few nodes and
users in that organization.
Thanks for the answers!